Free DNS Security Check

Free DNS Security Check

Free tool

Check DNSSEC, CAA records, wildcard exposure, and subdomain takeover risks in 60 seconds. Stops hijacking and rogue cert issuance before attackers find the gap.

  • DNSSEC & CAA
  • Wildcard review
  • Cache poisoning risks
No credit card requiredProduction-safe (100% passive)No setup or code required
Trusted by 4,500+ security & engineering teams
Oracle logoShopify logoGoDaddy logoChubb logoToshiba logoMAPFRE logoBelfius logoGBG logoWEKA logoShift Technology logoCarsome logoGrandstream logoSuzano logoHolcim logo

What you get for free

18 core security checks via this tool, passive scans, step-by-step remediation, security score on every result.

What Essential adds at $39/mo

+17 advanced checks, continuous monitoring, daily security score history, email alerts, GitHub SAST, board-ready PDFs, SOC 2 / ISO 27001 / PCI reports.

How to improve DNS security

DNSSEC Implementation:
  • Enable DNSSEC at your domain registrar or DNS provider
  • Generate and configure DNSKEY records
  • Publish DS records with your registrar
  • Monitor DNSSEC chain of trust regularly
CAA Record Configuration:
  • Add CAA records to control certificate issuance
  • Specify authorized Certificate Authorities
  • Configure wildcard certificate policies
  • Set up violation reporting (iodef)
DNS Security Hardening:
  • Remove unnecessary wildcard DNS records
  • Implement proper TTL values to prevent DNS rebinding
  • Secure subdomains to prevent takeover attacks
  • Monitor DNS changes and anomalies

Why DNS Security Matters

Attack Prevention:
  • Prevents DNS hijacking and cache poisoning attacks
  • Protects against subdomain takeover vulnerabilities
  • Reduces risk of certificate mis-issuance
  • Mitigates DNS-based DDoS amplification attacks
Data Integrity:
  • Ensures DNS responses haven't been tampered with
  • Validates authenticity of DNS records
  • Provides cryptographic proof of DNS data integrity
  • Protects against man-in-the-middle DNS attacks
Compliance & Trust:
  • Meets security compliance requirements
  • Enhances user trust and confidence
  • Demonstrates security best practices
  • Reduces liability from security incidents

What this checker validates

DNSSEC Validation:
  • DNSSEC detection (DNSKEY, RRSIG, NSEC, NSEC3, DS records)
  • DS (Delegation Signer) record presence in parent domain
  • Basic chain of trust validation for DNSSEC records
Certificate Authority Authorization (CAA):
  • CAA record presence detection
DNS Security Risks:
  • Wildcard DNS record detection and exposure analysis
  • DNS amplification vulnerability assessment (ANY query responses)
  • Cache poisoning vulnerability testing (predictable transaction IDs)
  • DNS rebinding vulnerability detection (short TTL values)
  • Comprehensive subdomain takeover vulnerability detection
DNS Configuration Analysis:
  • TTL (Time To Live) minimum value analysis
  • Subdomain takeover vulnerability detection

Across 1,409 recent DNS checks, 100% have at least one gap in DNSSEC or CAA records. DNS posture is the most-overlooked surface in production security.

Implementation examples

Once you've identified the gap, applying the fix is straightforward. Here are the three configurations developers reach for most often to lock down certificate issuance with CAA records.

BIND zone file

$TTL 3600
example.com.   IN  CAA  0 issue "letsencrypt.org"
example.com.   IN  CAA  0 issuewild ";"
example.com.   IN  CAA  0 iodef "mailto:security@example.com"

Cloudflare API

POST /client/v4/zones/{zone_id}/dns_records
{
  "type": "CAA",
  "name": "example.com",
  "data": { "flags": 0, "tag": "issue", "value": "letsencrypt.org" },
  "ttl": 3600
}

AWS Route 53 (change-resource-record-sets)

{
  "Changes": [{
    "Action": "UPSERT",
    "ResourceRecordSet": {
      "Name": "example.com.",
      "Type": "CAA",
      "TTL": 3600,
      "ResourceRecords": [
        { "Value": "0 issue \"letsencrypt.org\"" },
        { "Value": "0 issuewild \";\"" },
        { "Value": "0 iodef \"mailto:security@example.com\"" }
      ]
    }
  }]
}

Tool-specific questions

What is DNSSEC and why is it important?

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, ensuring data integrity and authenticity. Our checker detects the presence of DNSSEC records (DNSKEY, RRSIG, NSEC, NSEC3, DS) and validates basic chain of trust, which helps prevent DNS hijacking and cache poisoning attacks.

How do I enable DNSSEC for my domain?

Enable DNSSEC at your domain registrar or DNS provider, generate DNSKEY records, and publish DS (Delegation Signer) records with your registrar. The process varies by provider, but most offer automated DNSSEC setup. Expect some propagation time for full deployment.

What are CAA records and how do they improve security?

CAA (Certificate Authority Authorization) records specify which Certificate Authorities can issue SSL/TLS certificates for your domain. Our checker detects the presence of CAA records, which is the first step in preventing unauthorized certificate issuance and reducing the risk of certificate-based attacks.

What's the difference between DNS and DNSSEC?

DNS is the system that translates domain names to IP addresses. DNSSEC adds cryptographic signatures to DNS records, ensuring the data hasn't been tampered with. While DNS provides the service, DNSSEC provides the security layer to protect against attacks.

Can DNSSEC impact website performance?

DNSSEC can slightly increase DNS response sizes due to cryptographic signatures, but the performance impact is minimal for most websites. The security benefits far outweigh the small performance cost, and modern DNS infrastructure handles DNSSEC efficiently.

What are wildcard DNS records and why are they risky?

Wildcard DNS records (*.domain.com) resolve any subdomain to the same IP address. While convenient, they can expose unintended services, enable subdomain takeover attacks, and make it harder to track legitimate subdomains. Use specific records when possible.

How often should I review my DNS security configuration?

Review DNS security settings quarterly or after any infrastructure changes. Monitor for unauthorized DNS changes, check DNSSEC chain of trust, and verify CAA record compliance. Use Barrion's continuous monitoring to track DNS security posture over time.

What's DNS cache poisoning and how does DNSSEC prevent it?

DNS cache poisoning occurs when attackers inject false DNS records into DNS caches. DNSSEC prevents this by cryptographically signing DNS records, making it impossible to forge responses without the private key. This ensures users receive authentic DNS data.

What is subdomain takeover and how does your checker detect it?

Subdomain takeover occurs when a subdomain points to a service that no longer exists, allowing attackers to claim it. Our checker performs comprehensive subdomain takeover detection by identifying subdomains that point to abandoned services, expired domains, or unclaimed cloud resources.
Why Barrion

Built for the engineers who already have enough to fix.

Speed

Real-time results

Instant analysis with a detailed report. You see findings as the scan runs, not after.
Coverage

Comprehensive checks

35+ checks per scan covering TLS, headers, CORS, cookies, DNS, email auth, and more, in a single pass.
Action

Step-by-step fixes

Every finding ships with the exact remediation step for your framework. Hand it to the engineer who owns the surface.
FAQ

Frequently asked.

What is Barrion and how does it enhance website security?
Barrion is a security testing and monitoring platform for engineering teams, and it works in three ways. Passive scanning keeps a continuous, read-only watch over your live web apps and APIs. Codebase scanning connects to GitHub and checks your code for hard-coded secrets, insecure patterns and vulnerable dependencies. AI pentesting goes on the offensive, running agent-driven attacks that prove which vulnerabilities are genuinely exploitable. Every finding comes with a step-by-step fix you can ship right away.
How safe is Barrion to use for security testing?
Passive scanning and codebase scanning are completely safe to run, including against production. Passive scans only read your live app, so we never submit forms, brute-force endpoints or touch anything that changes state, and codebase scanning just reads your repository. AI pentesting is more aggressive by design, since its job is to confirm real exploits, so it runs rate-limited and non-destructive, and you agree the scope with us before it starts.
What types of security issues does Barrion identify?
It depends on the surface. On your live apps, Barrion catches misconfigurations across TLS and HTTPS, security headers, cookie flags, CORS policy, DNS records, email authentication (SPF, DKIM, DMARC), network exposure and the usual web hygiene gaps. In your codebase it finds secrets committed to the repo, insecure code patterns and vulnerable dependencies. AI pentesting surfaces the exploitable stuff, like SQL injection, cross-site scripting and broken access control, each one backed by proof it can actually be exploited.
What specific security checks does Barrion perform?
For live apps it checks TLS and HTTPS configuration, HTTP security headers, cookie flags, CORS policy, DNS and email authentication records, network exposure and common web hygiene issues. In your codebase it looks for hard-coded secrets, insecure patterns and vulnerable dependencies. AI pentesting takes it further by actively chaining requests to confirm exploitable flaws. Whatever the source, findings are ranked by severity and come with clear, step-by-step remediation.
What is Barrion's smart crawling?
Smart crawling automatically discovers the pages and endpoints of your app so scans cover the surface that matters, without you manually listing every URL.
How often does Barrion perform security scans?
You can run a scan manually whenever you want. Continuous monitoring of your live apps runs on its own (weekly and up on Essential, daily on Business), codebase scans can fire on every commit or pull request, and we alert you the moment something new shows up.
Is Barrion suitable for security testing of all business sizes?
Yes. Live-app monitoring, codebase scanning through GitHub and AI pentesting all work just as well for a solo developer as for a startup, a scale-up or an enterprise security team, without adding headcount.
How does Barrion handle data security and privacy during security testing?
Live-app and codebase scans are read-only by default, and we never store or expose sensitive data from your application. AI pentests are rate-limited and non-destructive, built to confirm whether something is exploitable without altering your data or affecting availability.
What if I'm not satisfied with Barrion's security testing service?
Paid plans start with a free trial, and you can cancel anytime. If something isn't right, contact us and we'll make it work for your team.
How does Barrion help with SOC 2, ISO 27001, NIS2, and other compliance frameworks?
Barrion produces audit-ready PDF and CSV reports suitable for SOC 2, ISO 27001, PCI DSS and NIS2, ready to share with auditors, customers and your board.

Anything else? Email contact@barrion.io.

Run a full report on your site.

Free first scan covers every check, no signup needed. Sign up to save the report and turn on continuous monitoring.